Cybersecurity
Definitions

General

Cybersecurity (also called cyberspace security and cyber security) is

Cybersecurity is the security of cyberspace. (Cybersecurity: Selected Issues for the 115th Congress, at 1.)

ITU

Cybersecurity is

Background

"Cybersecurity issues arise because of three factors taken together — the presence of malevolent actors in cyberspace, societal reliance on IT for many important functions, and the inevitable presence of vulnerabilities in IT systems that malevolent actors can take advantage of." (At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 2.)

"Cybersecurity problems result from the complexity of modern IT systems and human fallibility in making judgments about what actions and information are safe or unsafe from a cybersecurity perspective." (Id.)

"Cybersecurity is a complex subject whose understanding requires knowledge and expertise from multiple disciplines, including but not limited to computer science and information technology, psychology, economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law. Although technical measures are an important element, cybersecurity is not primarily a technical matter, although it is easy for policy analysts and others to get lost in the technical details. Furthermore, what is known about cybersecurity is often compartmented along disciplinary lines, reducing the insights available from cross-fertilization." (Id. at 5.)

"Cyberspace is particularly difficult to secure due to a number of factors: the ability of malicious actors to operate from anywhere in the world, the linkages between cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences in complex cyber networks." (Department of Homeland Security, The 2014 Quadrennial Homeland Security Review, at 39 (June 18, 2014).)
Cybersecurity is intertwined with the physical security of assets — from computers, networks, and their infrastructure to the environment surrounding these systems. Cybersecurity is a major concern of both the federal government and the private sector. Cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize a network in unpredictable ways.

Cybersecurity has been called "one of the most urgent national security problems facing the new administration." (Securing Cyberspace for the 44th Presidency.) In a speech during his first presidential campaign, President Obama promised to "make cyber security the top priority that it should be in the 21st century . . . and appoint a National Cyber Advisor who will report directly" to the President. (July 17, 2008 speech at Purdue University.)

Cybersecurity is a cross-cutting field that affects many government and non-governmental stakeholders. As such, one of the most basic concerns, but most difficult to address, is that the term itself can carry different connotations for the various entities. For example, the U.S. military views cyberspace as a warfighting domain as well as a force enabler, enhancing troops’ ability to operate in real-time and with improved situational awareness. For the Department of Defense, cybersecurity takes on an offensive or defensive national security role. For other government stakeholders, cybersecurity means information security, or securing the information that resides on cyber infrastructure such as telecommunications networks, or the processes these networks enable.
And for some, cybersecurity means protecting the information infrastructure from a physical or electronic attack.

Another cybersecurity difficulty for the government is balancing the protection of civil liberties and individual privacy protections with the desire for comprehensive security of networks and information. It is difficult to secure information infrastructures and their content without tradeoffs between security and the freedoms associated with the Internet. Many concerned about civil liberties fear that the executive branch will use its national security powers and national defense mandate as justification for encroaching on privacy without adequate oversight. Others regard security measures, such as network traffic monitoring, as a violation of the Universal Declaration of Human Rights, which states that "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence." (Article 12 of the Universal Declaration of Human Rights.) Complicating the issue is a lack of consensus on the definition of "privacy" in the context of the Internet, and a lack of consensus on what sort of government resolution may be necessary as a network security measure.

Threats to cybersecurity

"Threats to cybersecurity evolve, and adversaries — especially at the high-end part of the threat spectrum — constantly adopt new tools and techniques to compromise security when defenses are erected to frustrate them. As information technology becomes more ubiquitously integrated into society, the incentives to compromise the security of deployed IT systems grow. Thus, enhancing the cybersecurity posture of a system — and by extension the organization in which it is embedded — must be understood as an ongoing process rather than something that can be done once and then forgotten." (At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 2-3.)

"The interconnectedness and openness that the Internet, digital networks, and devices allow have also made securing our cyber landscape a task of unparalleled difficulty. As the world becomes more dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Beyond the resulting economic losses and national security threats, our privacy, civil liberties, and constitutional rights — even the voting system that underlies our democracy — all become vulnerable. For now, technological advancement continues to outpace security and will continue to do so unless shifts in our cybersecurity strategies — and how well we implement those strategies — are made." (Report on Securing and Growing the Digital Economy, at 3.)

Federal role

The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for CI. More than 50 statutes address various aspects of cybersecurity.

Figure 1 is a simplified schematic diagram of major agency responsibilities in cybersecurity. In general, the National Institute of Standards and Technology (NIST) develops standards that apply to federal civilian ICT under the Federal Information Security Management Act of 2002 (FISMA), and the Office of Management and Budget (OMB) is responsible for overseeing their implementation. The Department of Defense (DOD) is responsible for military ICT, defense of the nation in cyberspace, and, through the National Security Agency (NSA), security of national security systems (NSS), which handle classified information. NSA is also part of the Intelligence Community (IC).
The Department of Homeland Security (DHS) has operational responsibility for protection of federal civilian systems and is the lead agency coordinating federal efforts assisting the private sector in protecting CI assets. It is also the main federal focus of information sharing for civilian systems through its National Cybersecurity and Communications Integration Center (NCCIC). The Department of Justice (DOJ) is the lead agency for enforcement of relevant laws.

In February 2015, the Obama Administration also established, via presidential memorandum, the Cyber Threat Intelligence Integration Center (CTIIC) under the Director of National Intelligence (DNI). Its purposes are to provide integrated analysis on cybersecurity threats and incidents affecting national interests across the federal government and to support relevant government entities, including the NCCIC and others at DOD and DOJ.

International aspects

There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation.

A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums.
Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings.

The global aspects of cyberspace present key challenges to U.S. policy (see table). Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace.

Consumer acceptance

Cyber security has largely failed to gain wide adoption in many consumer products for a variety of reasons, including a lack of appreciation for consequences of insecurity, the difficulty of developing secure products, performance and cost penalties, user inconvenience, logistical problems for organizations in implementing and consistently maintaining security practices, and the difficulty of assessing the value of security improvements.

But consumer and enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of "cyberterrorism," and the pervasiveness of IT uses. Consequently, many in the computer industry have come to recognize that the industry’s continued ability to gain consumer confidence in new, more capable applications will depend on improved software development and systems engineering practices and the adoption of strengthened security models.

References

Source

* "Federal role" section: Cybersecurity Issues and Challenges: In Brief, at 3-4.
See also

* Actions to Strengthen Cybersecurity and Protect Critical IT Systems
* APEC Cybersecurity Strategy
* Commission on Cybersecurity for the 44th Presidency
* Compliance-based cybersecurity
* Comprehensive National Cybersecurity Initiative
* Cybersecurity architecture
* Cybersecurity awareness
* Cybersecurity Bill of Rights
* Cybersecurity control assessment
* Cybersecurity controls
* Cybersecurity Coordinator
* Cybersecurity for Critical Infrastructure Protection
* Cybersecurity for Electronic Devices
* Cybersecurity for the Homeland
* Cybersecurity guidance
* Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
* Cybersecurity Issues and Challenges: In Brief
* Cybersecurity Office
* Cybersecurity of Freight Information Systems: A Scoping Study - Special Report 274
* Cybersecurity Partners Local Access Plan
* Cybersecurity plan
* Cybersecurity policy
* Cybersecurity requirements
* Cybersecurity Research and Development Act of 2002
* Cybersecurity risk
* Cybersecurity Roadmap
* Cybersecurity threat
* Cybersecurity Today and Tomorrow: Pay Now or Pay Later
* Cybersecurity Wiki
* Cybersecurity, Innovation, and the Internet Economy
* Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats
* Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure
* Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems
* Cybersecurity: Continued Efforts Are Needed to Protect Information Systems From Evolving Threats
* Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development
* Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative
* Cybersecurity: Threats Impacting the Nation
* Cyberwarfare and Cybersecurity
* National Cybersecurity Protection System
* Office of Cybersecurity and Communications
* Risk-based cybersecurity
* Technology Assessment: Cybersecurity for Critical Infrastructure Protection
* U.S. Cybersecurity Coordinator
* Why is Cyber Security a Problem?

External resources

* Center for Strategic and International Studies, Cybersecurity.
* Herbert Lin, "A Virtual Necessity: Some Modest Steps Toward Greater Cybersecurity," Bull. of the Atomic Scientists (Sept. 1, 2012).
* Arnold, Rob (2017). Cybersecurity: A Business Solution.